[Snort-users] Rules & reference (ACID)

roman at ...438... roman at ...438...
Sat Nov 17 12:33:03 EST 2001


I believe this issue has been addressed in ACID v0.9.6b18. 

Roman

On Sat, 10 Nov 2001, Marc-Andre Hamelin wrote:
 
> 
> I had the same problem on a few occasions (with the same rule). Most of the
> alerts for this rule are ok except some of them have only [] as reference.
>
> It causes an error in mysql when I try to archive these alerts or if these
> alerts are part of a bigger selection that I want to archive. So I have to
> delete them first.
> 
> I'm using ACID beta 17 with snort 1.8.1
>
> I don't know what could cause this problem, but I must admit that I didn't
> have the time to look at it. I don't have the message generated by the
> error anymore, at least until I get the problem again :)
>
> 
> Someone has an idea ?
> 
> 
> Marc
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bruno
> Gimenes Pereti
> Sent: 10 novembre, 2001 08:27
> To: Snort-Users
> Subject: Re: [Snort-users] Rules & reference (ACID)
> 
> 
> Hi Jeff,
> 
> Thanks for the answer. I think I didn't express myself well (my English is horrible).
> I was trying to say there is no link in that "[url]". When I wrote [CVE] it was
> just an example that points me to somewhere; it could be [Bugtraq] or so.
> I'll update ACID anyway...
> If it doesn't show me the link I'll write again...
>
> Thanks.
> 
> Bruno Gimenes Pereti.
> 
> ----- Original Message -----
> From: "Jeff Dell" <jdell at ...1095...>
> To: "'Bruno Gimenes Pereti'" <pereti at ...3411...>; "'Snort-Users'"
> <snort-users at lists.sourceforge.net>
> Sent: Saturday, November 10, 2001 11:01 AM   
> Subject: RE: [Snort-users] Rules & reference (ACID)
>
>
> > Bruno,
> >
> > There is nothing wrong with seeing "[url]" in acid. Take a look at the
> > rule that triggered the alert:
> > alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml autoload attempt"; flags:A+; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; rev:3; reference:url,www.cert.org/advisories/CA-2001-26.html;)
> >
> > As you can see, the reference points to a URL. That is a big difference
> > from CVE. CVEs are maintained by MITRE and are directed to the MITRE
> > web page. URLs can point to any web page.
> >
> > As far as updating your version of Acid goes, I would make sure you have the
> > latest beta, which is 17. There have been some changes lately that make
> > Acid more stable and feature rich.
> >
> > Jeff
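The thread turns on two things: how a console such as ACID turns a rule's reference: options into links (a reference system like cve or bugtraq maps to a fixed URL prefix, while url is used as-is), and what happens when a rule yields an empty [] reference that later breaks a bulk archive. The following is an added example, not code from the thread or from the Snort or ACID projects: it parses the reference options out of a Snort rule, resolves them to links, and flags the empty-reference case so it can be caught before archiving. The system-to-prefix map is an assumption modelled on the conventions of Snort's reference.config, not copied from any particular release, and the extra rules in the usage note are constructed for illustration.

```python
"""
Added example (not from the thread or from the Snort/ACID projects): parse
the reference: options out of a Snort rule and resolve them to the links a
console would display.  REFERENCE_PREFIXES is an assumed map in the style of
Snort's reference.config; the exact prefixes are illustrative.
"""

# Assumed reference.config-style map: system name -> URL prefix (case-insensitive).
REFERENCE_PREFIXES = {
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "url": "http://",
}

# The rule from Jeff's message, on one line as Snort reads it.
RULE = (
    'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml '
    'autoload attempt"; flags:A+; content:"window.open(\\"readme.eml\\"";'
    ' nocase; classtype:attempted-user; sid:1290; rev:3;'
    ' reference:url,www.cert.org/advisories/CA-2001-26.html;)'
)


def split_options(rule):
    """Return the 'key:value' option strings from a rule's (...) body.

    Splits on ';' only outside double quotes and honours backslash escapes,
    so a ';' or an escaped quote inside content:"..." does not break parsing.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opt = "".join(buf).strip()
            if opt:
                options.append(opt)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        options.append(tail)
    return options


def parse_references(rule):
    """Return [(system, id)] for every reference: option in the rule.

    A bare 'reference:' or 'reference:cve,' yields an entry with an empty
    part, which is what a console renders as an empty '[]'.
    """
    refs = []
    for opt in split_options(rule):
        key, _, value = opt.partition(":")
        if key.strip().lower() != "reference":
            continue
        system, _, ident = value.partition(",")
        refs.append((system.strip(), ident.strip()))
    return refs


def resolve_reference(system, ident):
    """Map (system, id) to a URL, or None when a part is missing or unknown."""
    if not system or not ident:
        return None
    prefix = REFERENCE_PREFIXES.get(system.lower())
    return None if prefix is None else prefix + ident


def reference_links(rule):
    """Resolved URLs for a rule; unresolvable references are skipped."""
    links = []
    for system, ident in parse_references(rule):
        url = resolve_reference(system, ident)
        if url is not None:
            links.append(url)
    return links


def has_empty_reference(rule):
    """True if any reference option lacks a system or an id (the '[]' case).

    Worth checking before a bulk archive, since a console may error on such
    rows rather than skip them.
    """
    return any(not s or not i for s, i in parse_references(rule))


if __name__ == "__main__":
    print(parse_references(RULE))
    print(reference_links(RULE))
    print(has_empty_reference(RULE))
```

For the rule Jeff quoted, parse_references returns a single ("url", "www.cert.org/advisories/CA-2001-26.html") pair and reference_links prefixes it with http://, which is the link ACID shows behind "[url]". A constructed rule with a bare "reference:;" option makes has_empty_reference return True, so alerts from such rules can be set aside (or the rule corrected) before an archive run instead of failing it midway.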


